Let’s Encrypt for Windows 10

In this guide I will show you how to generate an SSL certificate using only Windows 10. Note — this guide does not cover renewals or automation, yet.

This article assumes you have some prior knowledge of the following:
- DNS Records
- Windows Features
- SSL certificate


Recently, I have been faced with generating temporary SSL certificates for internal web servers. For this, Let’s Encrypt offers a great solution: free 90-day certificates… with a caveat. There is little to no official support for Windows operating systems.

Fortunately, Windows 10 Anniversary Update (1607) brings a new feature, aptly titled Bash on Ubuntu on Windows. This feature gives Windows a Bash terminal and a Linux environment in which you can run most Linux command-line tools, without the need for a Linux virtual machine!

Let’s Encrypt recommends the tool Certbot by EFF to generate, install and automate renewals. In the steps below, I show you how to generate the certificate files using this tool, for use in a web server of your choice.


Let’s get started…

First things first, installing Bash on Ubuntu on Windows. I won’t be covering how to do this here, but you can follow this easy 5-step tutorial from MSDN.

Let’s Encrypt offers multiple methods for domain validation. In this example, we will be using a DNS challenge. This involves adding a TXT record to your DNS zone containing a random string generated by Certbot, which proves to Let’s Encrypt that you control the domain the request is for.


Installing Certbot

Run the following commands in your Bash terminal.
Note — you may need to prefix each command with sudo.

Add the Certbot repository

add-apt-repository ppa:certbot/certbot

Update package lists to include our new repository

apt-get update

Download & Install Certbot

apt-get install certbot

Now, we have installed Certbot, but how do we use it?

Generate the certificate

certbot -d secure.mydomain.com --manual --preferred-challenges dns certonly

Breaking it down

-d — Your domain
--manual — Provides manual instructions for obtaining a certificate
--preferred-challenges — Challenge type. In this example, we will be using the DNS challenge, as explained earlier in the article.

We’re asked “Are you OK with your IP being logged?”
Type Y and Enter to continue


The DNS Challenge

Go ahead and create this record in your public DNS zone. Here’s what mine looks like, using my provider’s cPanel interface.

CPanel Example

Important — Before pressing Enter, you will need to verify that the TXT record is valid and publicly resolvable. Because of DNS propagation and caching, this can take anywhere from 5 minutes to an hour.

Validate the record

Run the following from Command Prompt on your Windows device

NSLookup.exe -q=TXT _acme-challenge.secure.mydomain.com

If the record is available, you’ll see something like this
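A small helper for this waiting step, added here as an example and not part of the original guide: it extracts the quoted TXT values from nslookup or dig output and checks that Certbot’s token is among them, then polls a public resolver until the record is visible. The resolver address, the attempt/delay defaults and the sample nslookup output are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# record actually serves the token Certbot gave you before pressing Enter.
# Assumes POSIX sh with grep/sed, and `dig` for the live lookup.

# Print every quoted TXT string from lookup output (Windows nslookup puts the
# value on its own line; Linux nslookup and dig keep it on one line).
extract_txt_values() {
  grep -o '"[^"]*"' | sed 's/^"//; s/"$//'
}

# Return 0 if the expected token is exactly one of the TXT values in $2.
txt_has_token() {
  expected="$1"; output="$2"
  printf '%s\n' "$output" | extract_txt_values | grep -Fxq -- "$expected"
}

# Poll a public resolver (assumption: 8.8.8.8) until the token appears.
# Usage: wait_for_challenge _acme-challenge.secure.mydomain.com TOKEN [attempts] [delay]
wait_for_challenge() {
  name="$1"; expected="$2"; attempts="${3:-12}"; delay="${4:-30}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    out=$(dig +short TXT "$name" @8.8.8.8 2>/dev/null)
    if txt_has_token "$expected" "$out"; then
      echo "TXT record for $name is live; you can press Enter in Certbot."
      return 0
    fi
    echo "Attempt $i/$attempts: record not visible yet, waiting ${delay}s..."
    sleep "$delay"
    i=$((i + 1))
  done
  echo "Gave up: $name still does not serve the expected token." >&2
  return 1
}

# Constructed sample of what Windows nslookup -q=TXT prints (token is made up).
SAMPLE_NSLOOKUP='Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
_acme-challenge.secure.mydomain.com     text =

        "EXAMPLE-TOKEN-FROM-CERTBOT"'

txt_has_token "EXAMPLE-TOKEN-FROM-CERTBOT" "$SAMPLE_NSLOOKUP" && echo "sample: token found"
```

A public resolver may still hand back a cached answer for a while after the record changes, so a negative result early on just means wait and retry.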

Now that our record is active, press Enter.

Congratulations, your certificate has been generated!

Certbot verifies your DNS entry and, on success, issues you a valid 90-day SSL certificate. Now that we have our certificate, we can export it to a format suitable for the web server.

Exporting the certificate

In this example, I will be installing the certificate into an IIS web server, which requires a PFX certificate. A PFX file contains both the certificate (public key) and the private key in a single file. We can produce one using the OpenSSL package.

Installing OpenSSL

sudo apt-get install openssl

Now, with the OpenSSL package installed, run the following command.

Important — Ensure your working directory is /etc/letsencrypt/live/secure.yourdomain.com (the directory Certbot created for your domain).

openssl pkcs12 -export -out /tmp/certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

The export prompts for a password; set one, as the PFX contains your private key. Now that we have our PFX certificate at /tmp/certificate.pfx, we can copy it somewhere accessible from our Windows device. I made a folder at C:\tmp, to which I copy the certificate using the command

cp /tmp/certificate.pfx /mnt/c/tmp

Congratulations, you now have a valid SSL certificate accessible and ready to use, all from your Windows device.